Merge pull request #57 from fermitools/drop-more-returns
Not checking return codes, so drop them
jcpunk authored May 29, 2024
2 parents 8a60846 + 07f04db commit 5ffb63f
Showing 1 changed file with 24 additions and 24 deletions.
48 changes: 24 additions & 24 deletions src/C/kcron_seccomp.h
@@ -65,39 +65,39 @@ int set_kcron_seccomp(void) {
/* Basic features */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'rt_sigreturn'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'brk'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'exit'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'exit_group'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

/* Permitted actions */
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(geteuid), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'geteuid'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getuid), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'getuid'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getgid), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'getgid'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

@@ -107,7 +107,7 @@ int set_kcron_seccomp(void) {
*/
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, 1)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'write' to stdout.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

@@ -116,7 +116,7 @@ int set_kcron_seccomp(void) {
*/
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, 2)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'write' to stderr.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

@@ -127,13 +127,13 @@ int set_kcron_seccomp(void) {
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 0) != 0) {
/* not sure how to restrict this to the args I want */
(void)fprintf(stderr, "%s: Cannot set allowlist 'openat'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 1, SCMP_A0(SCMP_CMP_EQ, 3)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'close'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

@@ -142,22 +142,22 @@ int set_kcron_seccomp(void) {
*/
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, SCMP_A0(SCMP_CMP_EQ, 4)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'write' to our file handle.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 1, SCMP_A0(SCMP_CMP_EQ, 4)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'close'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fsync), 1, SCMP_A0(SCMP_CMP_EQ, 4)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'fsync' on file handle.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmod), 2, SCMP_A0(SCMP_CMP_EQ, 4), SCMP_A1(SCMP_CMP_EQ, _0600)) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'fchmod' for mode 0600 only.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}

@@ -166,49 +166,49 @@ int set_kcron_seccomp(void) {
*/
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'fstat'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'stat'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'newfstatat'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mkdir), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'mkdir'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchown), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'fchown'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}


#if USE_CAPABILITIES == 1
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(capget), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'capget'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(capset), 0) != 0) {
(void)fprintf(stderr, "%s: Cannot set allowlist 'capset'.\n", __PROGRAM_NAME);
seccomp_release(ctx);
(void)seccomp_release(ctx);
exit(EXIT_FAILURE);
}
#endif

/* Load rules */
seccomp_load(ctx);
(void)seccomp_load(ctx);

/* Release memory */
seccomp_release(ctx);
(void)seccomp_release(ctx);

return 0;
}
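Review bot: The `(void)seccomp_load(ctx);` under "Load rules" in the last hunk discards the one return value in set_kcron_seccomp that decides whether the filter is actually installed: if the load fails, nothing is enforced, the function still returns 0, and the program continues without its syscall allowlist. Every `seccomp_rule_add` failure above already exits, so the load should fail closed the same way: `if (seccomp_load(ctx) != 0) {` followed by the same `fprintf` / `seccomp_release(ctx)` / `exit(EXIT_FAILURE)` sequence those branches use. The casts on `seccomp_release` are harmless, but as far as I know libseccomp declares that function as returning void, so there is no return code to drop there. The start of the function (context creation and default action) lies outside the visible hunks, so this assumes callers read a 0 return as "filter active".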
